NetScaler 11 System Configuration

Last Modified: Jan 15, 2021 @ 6:23 am

Navigation

This page contains the following topics:

💡 = Recently Updated

VPX Hardware

NetScaler VPX Release 11.0 Build 65.72 and newer supports new VPX models on ESXi. These new models include: VPX 25, VPX 5G, VPX 25G, etc. See the NetScaler VPX datasheet for more info.  💡

11.0 build 65.72 and newer firmware also supports changing the NIC type to VMXNET3 or SR-IOV. The imported appliance comes with E1000 NICs so you’ll have to remove the existing virtual NICs and add new VMXNET3 NICs.

 

NetScaler for Azure can now be upgraded to 11.0 build 65.31 or newer. It will be possible to upgrade to future releases of NetScaler firmware. More details by Thomas Goodwin at Citrix Discussions.  💡

Customer User Experience Improvement Program

  1. You might be prompted to enable the Customer User Experience Improvement Program. Either click Enable or click Skip.

  2. You can enable or disable Customer Experience Improvement Program by going to System > Settings.
  3. On the right is Change CUXIP Settings.
  4. Make your selection and click OK.
set system parameter -doppler ENABLED

Welcome Wizard

NetScaler has a Welcome! Wizard that lets you set the NSIP, hostname, DNS, licensing, etc. It appears automatically the first time you login.

  1. Click the Subnet IP Address box.
  2. You can either enter a SNIP for one of your interfaces or you can click Do it later.

    add ns ip 172.16.1.11 255.255.255.0 -type SNIP
  3. Click the Host Name, DNS IP Address, and Time Zone box.
  4. Enter a hostname. Your NetScaler Gateway Universal licenses are allocated to this hostname. In a High Availability pair each node can have a different hostname.
  5. Enter one or more DNS Server IP addresses. Use the plus icon on the right to add more servers.
  6. Change the time zone to GMT-05:00-CDT-America/Chicago or similar.
  7. Click Done.

    set ns hostname ns02
    
    add dns nameServer 192.168.123.11
    
    set ns param -timezone "GMT-05:00-CDT-America/Chicago"
  8. Click Yes to save and reboot.
  9. Click the Licenses box.
  10. You can click Add New License to license the appliance now. Or do it later.

    On the far right side of the screen is displayed the Host ID you need when allocating licenses.
    License files are stored in /nsconfig/license.
  11. Then click Continue.

Licensing – VPX Mac Address

To license a NetScaler VPX appliance, you will need its MAC address.

  1. One method is to look in the GUI.
  2. In the right pane, look down for the Host Id field. This is the MAC address you need for license allocation.
  3. Or go to System > Licenses.

  4. On the right, click Manage Licenses.
  5. Click Add New License.
  6. On the far right side of the screen the Host ID is displayed.
  7. Another option is to SSH to the appliance and run shell.
  8. Then run lmutil lmhostid. The MAC address is returned.

Licensing – Citrix.com

  1. Login to citrix.com.
  2. Click Activate and Allocate Licenses.
  3. Check the box next to a Citrix NetScaler license and click Continue.
  4. If this is a NetScaler MPX license then there is no need to enter a host ID for this license so click Continue. If this is a NetScaler VPX license, enter the lmutil lmhostid MAC address into the Host ID field and click Next.

    For a VPX appliance, you can also get the Host ID by looking at the System Information page.
  5. Click Confirm.
  6. Click OK when asked to download the license file.
  7. Click Download.
  8. Click Save and put it somewhere where you can get to it later.
  9. If you purchased NetScaler Gateway Universal Licenses, allocate them. These licenses can come from XenMobile Enterprise, XenApp/XenDesktop Platinum Edition, NetScaler Platinum Edition, or a la carte.
  10. Enter your appliance hostname as the Host ID for all licenses.
  11. Click Confirm.
  12. Click OK when prompted to download your license file.
  13. Click Download.
  14. Click Save.
  15. If you have two appliances in a High Availability pair with different hostnames then you will need to return the NetScaler Gateway Universal licenses and reallocate them to the other hostname.

Install Licenses on Appliance

  1. In the NetScaler Configuration GUI, on the left, expand System and click Licenses.
  2. On the right, click Manage Licenses.
  3. Click Add New License.
  4. If you have a license file, select Upload license files from a local computer and then click Browse.

    License files are stored in /nsconfig/license.
  5. Click Reboot when prompted. Login after the reboot.
  6. After rebooting, the Licenses node should look something like this. Notice that Maximum ICA Users Allowed is set to Unlimited.
  7. Note: the NetScaler SNMP counter allnic_tot_rx_mbits must remain less than the licensed bandwitdh or else packets will drop.

Upgrade Firmware

Citrix CTX127455How to Upgrade Software of the NetScaler Appliances in a High Availability Setup

  1. Download firmware. Ask your Citrix Partner or Citrix Support TRM for recommended versions and builds. At the very least, watch the Security Bulletins to determine which versions and builds resolve security issues. You can also subscribe to the Security Bulletins at http://support.citrix.com by clicking the Alerts link on the top right.
  2. Make sure you Save the config before beginning the upgrade.
  3. Transferring the firmware upgrade file to the appliance will be slow unless you license the appliance first. An unlicensed appliance will reduce the maximum speed to 1 Mbps.
  4. When upgrading from 10.5 or older, make sure the NetScaler Gateway Theme is set to Default or Green Bubbles. After the upgrade, you’ll have to create a new Portal Theme and bind it to the Gateway vServers.
  5. Start with the Secondary appliance.
  6. Before upgrading the appliance, consider using WinSCP or similar to back up the /flash/nsconfig directory.
  7. In the NetScaler GUI, with the top left node (System) selected, click, click System Upgrade.
  8. Browse to the build…tgz file. If you haven’t downloaded firmware yet then you can click the Download Firmware link.
  9. Click Upgrade.
  10. The firmware will upload.
  11. You should eventually see a System Upgrade window with text in it. Click Yes when prompted to reboot.
  12. Once the Secondary is done, login and failover the pair.
  13. Then upgrade the firmware on the former Primary.

 

To install firmware by using the command-line interface

  1. To upload the software to the NetScaler Gateway, use a secure FTP client (e.g. WinSCP) to connect to the appliance.
  2. Create a version directory under /var/nsinstall (e.g. /var/nsinstall/11.0.61).
  3. Copy the software from your computer to the /var/nsinstall/<version> (e.g. /var/nsinstall/11.0.61) directory on the appliance.
  4. Open a Secure Shell (SSH) client (e.g. Putty) to open an SSH connection to the appliance.
  5. At a command prompt, type shell.
  6. At a command prompt, type cd /var/nsinstall to change to the nsinstall directory.
  7. To view the contents of the directory, type ls.
  8. To unpack the software, type tar -xvzf build_X_XX.tgz, where build_X_XX.tgz is the name of the build to which you want to upgrade.
  9. To start the installation, at a command prompt, type ./installns.
  10. When the installation is complete, restart NetScaler.
  11. When the NetScaler restarts, at a command prompt type what or show version to verify successful installation.

High Availability

Configure High Availability as soon as possible so almost all configurations are synchronized across the two appliances. The exceptions are mainly network interface configurations.

High Availability will also sync files between the two appliances. See CTX138748 File Synchronization in NetScaler High Availability Setup for more information.

  1. Prepare the secondary appliance:
    1. Configure a NSIP.
    2. Don’t configure a SNIP. You can click Do It Later to skip the wizard.
    3. Configure Hostname and Time Zone. Don’t configure DNS since you’ll get those addresses when you pair it.
    4. License the secondary appliance.
    5. Upgrade firmware on the secondary appliance. The firmware of both nodes must be identical.
  2. On the secondary appliance, go to System > High Availability, double-click the local node, and change High Availability Status to STAY SECONDARY. If you don’t do this then you run the risk of losing your config when you pair the appliances. See Terence Luk Creating a Citrix NetScaler High Availability pair without wiping out an existing configuration for more information.


    set ha node -hastatus STAYSECONDARY
  3. On the primary appliance, on the left, expand System, expand Network and click Interfaces.
  4. On the right, look for any interface that is currently DOWN. You need to disable those disconnected interfaces before enabling High Availability. Right-click the disconnected interface and click Disable. Repeat for the remaining disconnected interfaces.

    show interface
    disable interface 1/1
  5. On the left, expand System and click High Availability.
  6. On the right, click Add.
  7. Enter the other NetScaler’s IP address.
  8. Enter the other NetScaler’s login credentials and click Create.

    add ha node 1 192.168.123.14
    Note: this command must be run separately on each appliance.
  9. If you click the refresh icon near the top right, Synchronization State will probably say IN PROGRESS.

    Eventually it will say SUCCESS.
  10. To enable Fail-safe mode, edit Node ID 0 (the local appliance).
  11. Under Fail-safe Mode, check the box next to Maintain one primary node even when both nodes are unhealthy. Scroll down and click OK.
    set ha node -failSafe ON
  12. If you login to the Secondary appliance, you might see a message warning you against making changes. Always apply changes to the Primary appliance.
  13. On the secondary appliance, go to System > High Availability, double-click the local node, and change it from STAY SECONDARY to ENABLED.
  14. From the CLI, run “sh ha node” to see the status. You should see heartbeats on all interfaces. If not, configure VLANs as detailed in the next section.
  15. You can force failover of the primary appliance by opening the Actions menu, and clicking Force Failover.

    force ha failover
    If your firewall (e.g. Cisco ASA) doesn’t like Gratuitous ARP, see CTX112701 – The Firewall Does not Update the Address Resolution Protocol Table

Multiple Interfaces – VLANs

Citrix CTX214033 Networking and VLAN Best Practices for NetScaler discusses many of the same topics detailed in this section.

 

Channels: You should never connect multiple interfaces to a single VLAN unless you are bonding the interfaces using LACP, Manual Channel, or the new Redundant Interface Set feature. See Webinar: Troubleshooting Common Network Related Issues with NetScaler.

NetScaler VPX defaults to two connected interfaces, so if you only have one subnet, disconnect one of those interfaces.

A Redundant Interface Set is configured almost identically to a Manual Channel except that the Channel ID starts with LR instead of LA.

 

Common interface configuration: Here is a common NetScaler networking configuration for a NetScaler that is connected to both internal and DMZ.

Note: If the appliance is connected to both DMZ and internal then be aware that this configuration essentially bypasses (straddles) the DMZ-to-internal firewall. That’s because if a user connects to a public/DMZ VIP, then NetScaler could use an internal SNIP to connect to the internal server. A more secure approach is to have different appliances for internal and DMZ. Or use NetScaler SDX, partitioning, or traffic domains.

  • 0/1 connected to a dedicated management network. NSIP is on this network.
    • 0/1 is not optimized for high throughput so don’t put data traffic on this interface. If you don’t have a dedicated management network, then put your NSIP on one of the other interfaces (1/1, 10/1, etc.) and don’t connect any cables to 0/1.
    • To prevent NetScaler from using this interface for outbound data traffic, don’t put a SNIP on this network, and configure the default gateway to use a different data network. However, if there’s no SNIP, and if default gateway is on a different network,  then there will be asymmetric routing for management traffic since inbound is 0/1 but outbound is LA/1. To work around this problem, enable Mac Based Forwarding. Or create a Policy Based Route.
    • It’s easiest if the switch port for this interface is an Access Port (untagged). If VLAN tagging is required, then NSVLAN must be configured on the NetScaler.
  • 10/1 and 10/2 in a LACP port channel (LA/1) connected to internal VLAN(s). Static routes to internal networks through a router on one of these internal VLANs.
    • If only one internal VLAN, configure the switch ports/channel as an Access Port.
    • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.
  • 1/1 and 1/2 in a LACP port channel (LA/2) connected to DMZ VLAN(s). Default gateway points to a router on a DMZ VLAN so replies can be sent to Internet clients.
    • If only one internal VLAN, configure the switch ports/channel as an Access Port.
    • If multiple internal VLANs, configure the switch ports/channel as a Trunk Port. Set one of the VLANs as the channel’s Native VLAN so it doesn’t have to be tagged.
    • If the networking team is unwilling to configure a Native VLAN on the Trunk Port, then NetScaler needs special configuration (tagall) to ensure HA heartbeat packets are tagged.

 

SNIPs: You will need one SNIP for each connected subnet. VLAN objects (tagged or untagged) bind the SNIPs to particular interfaces. NetScaler uses the SNIP’s subnet mask to assign IP addresses to particular interfaces.

 

NSIP: The NSIP subnet is special so you won’t be able to bind it to a VLAN. Use the following SNIP/VLAN method for any subnet that does not have the NSIP. The remaining interfaces will be in VLAN 1, which is the VLAN that the NSIP is in. VLAN 1 is only locally significant so it doesn’t matter if the switch is configured with it or not. Just make sure the switch has a native VLAN configured, or configure the interface as access port. If you require trunking of every VLAN, including the NSIP VLAN, then additional configuration is required (NSVLAN or Tagall).

 

To configure multiple connected subnets:

  1. On the left, expand System, and click Settings.
  2. On the right, in the left column, click Configure modes.
  3. Check the box next to MAC Based Forwarding and click OK. This configures the NetScaler to respond on the same interface the request came in on and thus bypasses the routing table. This setting can work around misconfigured routing tables. More info on MAC Based Forwarding can be found at Citrix CTX1329532 FAQ: Citrix NetScaler MAC Based Forwarding (MBF).

    enable mode mbf
  4. Add a subnet IP for every network the NetScaler is connected to, except the dedicated management network. Expand System, expand Network, and click IPs.
  5. On the right, click Add.
  6. Enter the Subnet IP Address for this network. This is the source address the NetScaler will use when communicating with any other service on this network. The Subnet IP can also be referred to as the Interface IP for the network. You will need a separate SNIP for each connected network (VLAN).
  7. Enter the netmask for this network. When you create a VLAN object later, all IPs on this subnet will be bound to an interface.
  8. Ensure the IP Type is set to Subnet IP. Scroll down.

    add ns ip 172.16.1.11 255.255.255.0 -type SNIP
  9. Under Application Access Controls decide if you want to enable GUI management on this SNIP. This is particularly useful for High Availability pairs, because when you point your browser to the SNIP only the primary appliance will respond. However, enabling management access on the SNIP can be a security risk, especially if this is a SNIP for the DMZ network.
  10. Click Create when done. Continue adding SNIPs for each connected network (VLAN).

    set ns ip 172.16.1.11 -mgmtAccess ENABLED -telnet DISABLED -ftp DISABLED
  11. On the left, expand System, expand Network and click VLANs.
  12. On the right, click Add.
  13. Enter a descriptive VLAN ID. The actual VLAN ID only matters if you intend to tag the traffic. If not tagged then any ID will work.
  14. Check the box next to one physical interface or channel (e.g. LA/1) that is connected to the network.
  15. If this is a trunk port, select Tagged if the switch port/channel is expecting the VLAN to be tagged.
  16. If you don’t tag the VLAN, then the NetScaler interface/channel is removed from VLAN 1 and instead put in this VLAN ID.
  17. Switch to the IP Bindings tab.
  18. Check the box next to the Subnet IP for this network. This lets NetScaler know which interface is used for which IP subnet. Click Create when done.

    add vlan 50
    bind vlan 50 -ifnum LA/1 -IPAddress 172.16.1.11 255.255.255.0
    
  19. The default route should use the router in the DMZ, not the internal router. Most likely the default route is set to an internal router. On the left, expand System, expand Network and click Routes.
  20. On the right, click Add.
  21. Internal networks are only accessible through an internal router. Add a static route to the internal networks and set the Gateway to an internal router. Then click Create.

    add route 192.168.0.0 255.255.0.0 192.168.123.1
  22. Before deleting the existing default route, either enable Mac Based Forwarding, or create a Policy Based Route, so that the replies from NSIP can reach your machine. To create a PBR, go to System > Network > PBRs.
  23. The source IP is the NSIP, and next hop is a router on the same network as the NSIP. Destination is not needed.
  24. Then open the Action menu, and click Apply.

    add ns pbr NSIP ALLOW -srcIP = 10.2.2.59 -nextHop 10.2.2.1
    apply ns pbrs
  25. Go back to System > Network > Routes. On the right, delete the 0.0.0.0 route. Don’t do this unless the NetScaler has a route to the IP address of the machine you are running the NetScaler Configuration Utility on.

    rm route 0.0.0.0 0.0.0.0 192.168.123.1
  26. Then click Add.
  27. Set the Network to 0.0.0.0 and the Netmask to 0.0.0.0. Enter the IP address of the DMZ router and click Create.

    add route 0.0.0.0 0.0.0.0 172.16.1.1

DNS Servers

  1. To configure DNS servers, expand Traffic Management, expand DNS and click Name Servers.
  2. On the right, click Add.
  3. Enter the IP address of a DNS server and click Create.
  4. Note: The NetScaler must be able ping each of the DNS servers or they will not be marked as UP. The ping originates from the SNIP. If you are unwilling to enable Ping then you will need to load balance your DNS servers on the local NetScaler appliance.

    add dns nameServer 192.168.123.11

NTP Servers

  1. On the left, expand System, and click NTP Servers.
  2. On the right, click Add.
  3. Enter the IP Address of your NTP Server (or pool.ntp.org) and click Create.

    add ntp server pool.ntp.org
  4. Open the Action menu and click NTP Synchronization.
  5. Select ENABLED and click OK.

    enable ntp sync
  6. You can click the System node to view the System Time.
  7. If you need to manually set the time, SSH (Putty) to the NetScaler appliances. Run date to set the time. Run date –help to see the syntax.
  8. Ntpdate –u pool.ntp.org will cause an immediate NTP time update.

 

Citrix Knowledgebase article CTX200286 – NTP Configuration on NetScaler to Avoid Traffic Amplification Attack:

  1. Replace the following line in /etc/ntp.conf file, if it exists:
    >  restrict default ignore
  2. Add the following lines in file /etc/ntp.conf:
    # By default, exchange time with everybody, but don't allow configuration:
    restrict -4 default kod notrap nomodify nopeer noquery
    restrict -6 default kod notrap nomodify nopeer noquery
    
    # Local users may interrogate the ntp server more closely:
    
    restrict 127.0.0.1
    restrict ::1
  3. Restart NTP using the following commands:
    > shell
    root@ns# ps -aux |grep "ntp"
    root@ns# kill <PID obtained from step above>
    root@ns# /usr/sbin/ntpd -g -c /flash/nsconfig/ntp.conf

 

Citrix Knowledgebase Article CTX200355 – Citrix Security Advisory for NTP VulnerabilitiesBy default, NTP is disabled on the NetScaler and, as such, is not vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. However, in deployments where customers have enabled NTP on the appliance, it is likely that these vulnerabilities will impact NetScaler.

We recommend that customers apply the following remediation:

Open the NetScaler’s ntp.conf file in /etc and add the following lines:

restrict -4 default notrap nopeer nomodify noquery
restrict -6 default notrap nopeer nomodify noquery

In addition to adding the above two lines, all other ‘restrict‘ directives should be reviewed to ensure that they contain both ‘nomodify‘ and ‘noquery‘ and that the file contains no ‘crypto‘ directives.

When this editing is complete, save the file and copy it to the /nsconfig directory. The NTP service must then be restarted for the changes to take effect. As with all changes, Citrix recommends that this is evaluated in a test environment prior to releasing to production.

SYSLOG Server

Citrix CTX120609 NetScaler Log Rotation and Configuration Using Newsyslog

The NetScaler will by default store a few syslogs on the local appliance. You can create a syslog policy to also send the syslog entries to an external server, like Citrix Command Center.

  1. On the left, expand System, expand Auditing, and click Syslog.
  2. On the right, switch to the Servers tab and click Add.
  3. Enter a name for the Syslog server.
  4. Specify the IP Address of the SYSLOG server, 514 as the port, and the Log Levels you’d like to send to it.
  5. Check the box for TCP Logging if you want the client IP. Note: TCP Logging requires significant disk space on the Syslog server.
  6. Select your desired Time Zone and then click Create.

    add audit syslogAction CommandCenter 192.168.123.12 -logLevel ALL -timeZone LOCAL_TIME
  7. On the right, switch to the Policies tab, and then click Add.
  8. Give the policy a descriptive name, select the Syslog server, and then click Create.

    add audit syslogPolicy CommandCenter ns_true CommandCenter
  9. While still on the Policies tab, open the Actions menu and click Global Bindings.
  10. Click the arrow next to Click to select.
  11. Select the Syslog policy you want to bind and click Select.
  12. Click Bind.
  13. Select the Syslog policy you want to bind and click Select.
  14. Then click Bind.
  15. Click Done.

    bind system global CommandCenter -priority 100

SNMP – MIB, Traps, and Alarms

  1. On the left, expand System, and click SNMP.
  2. On the right, click Change SNMP MIB.
  3. Change the fields as desired. Your SNMP tool (e.g. NetScaler Management and Analytics System) will read this information. Click OK.
  4. This configuration needs to be repeated on the other node.

    set snmp mib -contact NSAdmins@corp.com -name ns02 -location Corp
  5. Expand System, expand SNMP, and click Community.
  6. On the right, click Add.
  7. Specify a community string and the Permission and click Create.

    add snmp community public GET
  8. On the left, under SNMP, click Traps.
  9. On the right, click Add.
  10. Specify a trap destination and Community Name and click Create.

    add snmp trap generic 192.168.123.12 -communityName public
    add snmp trap specific 192.168.123.12 -communityName public
  11. On the left, under SNMP, click Managers.
  12. On the right, click Add. Note: if you do not add a manager then the NetScaler will accept SNMP queries from all SNMP Managers on the network.
  13. Change the selection to Management Network.
  14. Specify the IP of the Management Host and click Create.

    add snmp manager 192.168.123.12
  15. The Alarms node allows you to enable SNMP Alarms and configure thresholds.
  16. You can open an alarm to set thresholds. For example, CPU-USAGE can be set to 90% alarm and 50% normal with a Critical severity.

    set snmp alarm CPU-USAGE -thresholdValue 90 -normalValue 50 -severity Critical
  17. You can also configure the MEMORY alarm.

    set snmp alarm MEMORY -thresholdValue 90 -normalValue 50 -severity Critical

From http://www.slideshare.net/masonke/net-scaler-tcpperformancetuningintheaolnetwork: In addition to the usual OIDs, we have found these very useful to warn of potential problems.

  • ifTotXo?Sent – .1.3.6.1.4.1.5951.4.1.1.54.1.43
  • ifnicTxStalls – .1.3.6.1.4.1.5951.4.1.1.54.1.45
  • ifErrRxNoBu?s – .1.3.6.1.4.1.5951.4.1.1.54.1.30
  • ifErrTxNoNSB – .1.3.6.1.4.1.5951.4.1.1.54.1.31

Call Home

Citrix Blog Post – Protect Your NetScaler From Disaster With Call Home!: If you have a physical NetScaler (MPX or SDX) with an active support contract, you many optionally enable Call Home to automatically notify Citrix Technical Support of hardware and software failures.

  1. On the left, expand System and click Diagnostics.
  2. On the right, in the left column, in the Technical Support Tools section, click Call Home.
  3. Check the box next to Enable Call Home.
  4. Optionally enter an email address to receive notifications from Citrix Technical Support. Click OK.
  5. If you go back into Call Home, it should indicate if registration succeeded or failed. Successful registration requires an active support contract.

Change nsroot Password

  1. Expand System, expand User Administration and click Users.
  2. On the right, right-click nsroot, and click Change Password.
  3. Specify a new password and click OK.

    set system user nsroot Passw0rd

TCP, HTTP, SSL, and Security Settings

Citrix Knowledgebase articles:

 

  1. On the left, expand System and click Settings.
  2. On the right side of the right pane, click Change TCP parameters.
  3. Check the box for Window scaling (near the top).
  4. Scroll down and check the box for Selective Acknowledgement. Click OK.

    set ns tcpParam -WS ENABLED -SACK ENABLED
  5. On the right, click Change HTTP parameters.
  6. Under Cookie, change the selection to Version1. This causes NetScaler to set Cookie expiration to a relative time instead of an absolute time.

    set ns param -cookieversion 1
  7. Check the box next to Drop invalid HTTP requests.
  8. Scroll down and click OK.

    set ns httpParam -dropInvalReqs ON
  9. You can run the following command to see statistics on the dropped packets:
    nsconmsg -g http_err_noreuse_ -d stats
  10. See CTX209398 Addressing false positives from CBC and MAC vulnerability scans of SSHD to harden SSHD by editing /nsconfig/sshd_config with the following. Then run kill -HUP `cat /var/run/sshd.pid` to restart SSHD.  💡
    Ciphers aes128-ctr,aes192-ctr,aes256-ctr
    MACs hmac-sha1,hmac-ripemd160
  11. Implement Responder policies to prevent Shellshock attack against back-end web servers. See Citrix CTX200277 NetScaler Defends Against Shellshock Attack.
    add audit messageaction ShellShock_Log CRITICAL "\"The request was sent from \" +CLIENT.IP.SRC + \" Bash Code Injection Vulnerability\"" -bypassSafetyCheck YES
    
    add responder policy ShellShock_policy "HTTP.REQ.FULL_HEADER.REGEX_MATCH(re/\(\)\s*{/) || HTTP.Req.BODY(1000).REGEX_MATCH(re/\(\)\s*{/) || HTTP.REQ.URL.QUERY.REGEX_MATCH(re/\(\)(\s*|\++){/) || HTTP.REQ.BODY(1000).REGEX_MATCH(re#%28%29[+]*%7B#)" DROP ?logAction ShellShock_Log
    
    bind responder global ShellShock_policy 10 END -type REQ_DEFAULT

The following security configurations are detailed by Jason Samuel at Mitigating DDoS and brute force attacks against a Citrix Netscaler Access Gateway:

  • Maximum logon attempts on NetScaler Gateway Virtual Server
  • Rate Limiting for IP.SRC and HTTP.REQ.URL.
  • nstcp_default_XA_XD_profile TCP profile on the NetScaler Gateway Virtual Server.
  • Syslog logging
  • External website monitoring
  • Obfuscate the Server header in the HTTP response
  • Disable management access on SNIPs
  • Change nsroot strong password, use LDAP authentication, audit local accounts
  • Don’t enable Enhanced Authentication Feedback
  • SSL – disable SSLv3, deny SSL renegotiation, enable ECDHE ciphers, disable RC4 ciphers. Also see Anton van Pelt Make your NetScaler SSL VIPs more secure (Updated) .
  • 2-factor authentication
  • Command Center and Insight Center
  • Review IPS/IDS & Firewall logs

Management Authentication

Load balancing of authentication servers is strongly recommended since during an authentication attempt only one LDAP server is chosen. If you instead bind multiple LDAP servers, it would try all of them, and for incorrect passwords, it will lock out the user sooner than expected.

  1. Expand System, expand Authentication, and then click LDAP.
  2. On the right, switch to the Servers tab. Then click Add.
  3. Enter LDAPS-Corp-Mgmt or similar as the name. If you have multiple domains, you’ll need a separate LDAP Server per domain so make sure you include the domain name. Also, the LDAP policy used for management authentication will be different than the LDAP policy used for NetScaler Gateway.
  4. Change the selection to Server IP. Enter the VIP of the NetScaler load balancing vServer for LDAP.
  5. Change the Security Type to SSL.
  6. Enter 636 as the Port. Scroll down.
  7. In the Connection Settings section, enter your Active Directory DNS domain name in LDAP format as the Base DN.
  8. Enter the credentials of the LDAP bind account in userPrincipalName format.
  9. Check the box next to BindDN Password and enter the password. Scroll down.
  10. In the Other Settings section, use the drop-down next to Server Logon Name Attribute, Group Attribute, and Sub Attribute Name to select the default fields for Active Directory.
  11. On the right, check the box next to Allow Password Change.
  12. It is best to restrict access to only members of a specific group. In the Search Filter field, enter memberOf=<GroupDN>. See the example below:
    memberOf=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local
    You can add :1.2.840.113556.1.4.1941: to the query so it searches through nested groups. Without this users will need to be direct members of the filtered group.
    memberOf:1.2.840.113556.1.4.1941:=CN=NetScaler Administrators,OU=Citrix,DC=corp,DC=local

    An easy way to get the full distinguished name of the group is through Active Directory Administrative Center. Double-click the group object and switch to the Extensions page. On the right, switch to the Attribute Editor tab.
    Scroll down to distinguishedName, double-click it and then copy it to the clipboard.

    Back on the NetScaler, in the Search Filter field, type in memberOf= and then paste the Distinguished Name right after the equals sign. Don’t worry about spaces.
  13. Scroll down and click Nested Group Extraction to expand it.
  14. If desired, change the selection to Enabled.
  15. Set the Group Name Identifier to samAccountName.
  16. Set Group Search Attribute to –<< New >>– and enter memberOf.
  17. Set Group Search Sub-Attribute to –<< New >>– and enter CN.
  18. Example of LDAP Nested Group Search Filter Syntax

  19. Scroll down and click Create.

    add authentication ldapAction Corp-Mgmt -serverIP 10.2.2.210 -serverPort 636 -ldapBase "dc=corp,dc=local" -ldapBindDn "corp\\ctxsvc" -ldapBindDnPassword Passw0rd -ldapLoginName samaccountname -searchFilter "memberOf=CN=NetScaler Admins,CN=Users,DC=corp,DC=local" -groupAttrName memberOf -subAttributeName CN -secType SSL -passwdChange ENABLED
  20. Switch to the Policies tab and click Add.
  21. Enter the name LDAPS-Corp-Mgmt or similar.
  22. Select the previously created LDAPS-Corp-Mgmt server.
  23. On the bottom, in the Expressions area, type in ns_true.
  24. Click Create.

    add authentication ldapPolicy Corp-Mgmt ns_true Corp-Mgmt
  25. Click Global Bindings in the right pane.
  26. Click where it says Click to select.
  27. Select the newly created LDAP policy, and click Select.
  28. Click Bind.
  29. Click Done.

    bind system global Corp-Mgmt
  30. Under System, expand User Administration and click Groups.
  31. On the right, click Add.
  32. In the Group Name field, enter the case sensitive name of the Active Directory group containing the NetScaler administrators.
  33. In the Command Policies section, click Insert.
  34. Select the superuser policy, and click Insert.
  35. Click Create.

    add system group "NetScaler Admins" -timeout 900
    bind system group "NetScaler Admins" -policyName superuser 100
  36. Now you should be able to login to NetScaler using an Active Directory account.

CLI Prompt

  1. When you connect to the NetScaler CLI prompt, by default, the prompt is just a >.
  2. You can run set cli prompt %u@%h to make it the same as a UNIX prompt. See Citrix Docs for the cli prompt syntax.

Backup and Restore

11.0 build 64 has an improved backup and restore mechanism.

  1. Go to System > Backup and Restore.

  2. On the right, click the Backup button.
  3. Give the backup file a name.
  4. For Level, select Full and click Backup.
  5. Once the backup is complete, you can download the file.

To restore:

  1. If you want to restore the system and if the backup file is not currently on the appliance, you click the Backup button. Yes, this seems backwards.
  2. Change the selection to Add.
  3. Browse Local to the previously downloaded backup file.
  4. Then click Backup. This uploads the file to the appliance and adds it to the list of backup files.
  5. Now you can right-click the backup and click Restore.

Next Steps

Return to NetScaler Procedures list

44 thoughts on “NetScaler 11 System Configuration”

  1. Currently still have 2 – 7500 and 2 – 8005 Netscalers in production running on 11.1 that was upgraded from 10.5 a couple years ago. As part of the new vulnerability fix from Citrix, I was going to apply it to these boxes.

    As I was brushing up on the steps, I noticed Citrix says to revert custom logon pages to default and you say anything 10.5 or older needs to be returned to default. I don’t remember doing this when I upgraded from 10.5 to 11.1.

    Does this step need to happen going from 11.1 to the new fix? Do my newer 12.1 ADC’s need to take this step when those patches become available? Thanks!

    1. When upgrading from older than 10.5 to something 10.5 or newer, then the global theme should be Default and then you re-create your logon page customizations as a Portal Theme and bind to the Gateway. Once you have Portal Themes, you don’t have to worry about upgrades breaking your customizations any more.

  2. Thank you! I searched the entirety of the internet and had a case open with Citrix to find a way to change my default route to my DMZ net rather than the management net it defaults to. It crashed my Netscaler every time. Tech support came to the conclusion that it was not something they could assist with because it was outside the scope of technical support now that the system was in production, and should have been addressed during the design and implementation phase. Yours is the only documentation I’ve found that covers this. Your articles are always very helpful and most appreciated!

  3. Carl,
    I’m a bit confused about the NetScaler VPX licensing. I have an NS VPX version 11.1.58.13, which shows a platinum license however I do not see a license file under manage licenses, it’s been up at least 5 months now so this can’t be the evaluation license (can it?) how is this possible. I then set up an HA node as secondary to this one and after syncing it shows a standard license. Some features show the yellow warning (expectedly I suppose).

    Do you know what’s going on here? Is this because the license was assigned by code?
    Any help would be useful as I am a bit unclear about the NS licensing in general.

    Thanks as always.

      1. Yes I it was I realized after the fact that the licensing was assigned in the SDX configuration for the instance.
        Thank you for the follow up.

        One thing that confuses me still is for Enterprise NS licenses you see unlimited ICA and 1000 gateway licenses, given this, is there any need to use a license file for Enterprise VPX if you have less than 1000 users (XenApp only)? Or am I not understanding Citrix NS licensing.

        1. ICA Only is always unlimited.

          Gateway licenses are for SmartAccess, VPN, etc. That’s the 1000 license limit. The “ICA Only” checkbox on the Gateway Virtual Server determines which type of license is consumed. Newer versions of NetScaler ADC come with built-in Gateway licenses and you can install more.

  4. Hello Carl !
    I Need to do a lab So here is my config and I want to create
    1 Create a VM with pfsense. Add 2 IP
    1 First IP simulating a public IIP (for example 131.10.12.11)
    Second IP 172.10.0.1)
    After Installating my NSIP with 172.10.0.10
    So I will after go on my Pfsense and do a nat rule : all 443 will go on 172.10.0.10
    After I create A second Firewall with 2 IP
    1 FIST IP 192.168.1.1
    Second IP 10.10.0.1
    So I go on NS and create a SNIP of 10.10.0.10

    Is this correct ?

      1. Hello Carl
        If I place NS inside the secure network
        When I will configure NS Gateway
        Can I setup the vserver VIP with
        The ip public My isp give me
        So for exemple the vip will be
        22.23.45,12 and the SNIP and
        NSIP will be in my internal lam
        192.168.1.0/24
        Is it ok ?

  5. Citrix recommends using Nagle’s algorithm but you don’t mention it here. I’m just curious to know if you’ve run into any problems with it?

    Also, I’m on 11.0 Build 68.10. My environment is 7.11. Should I consider moving to 11.1 or wait a bit longer?

    I’m new to Citrix and would be stuck without your site. Thank you!

    1. Nagle’s has different results depending on the traffic type. The XA_XD profile enables Nagle’s. I probably wouldn’t enable it globally.

      11.1 build 49 was just released. I would not have recommended the prior two builds.

  6. Hello Carl,

    I am having an issue with my Netscalers MPX. I am using the Citrix Insight Service to try and find out what is going on. I have a crash file in the /var/core dir. I am trying to figure out how to upload that to the CIS. The information I am finding looks like it is for the older Netscaler versions.

    Any help would be much appreciated.

  7. Hi Carl,

    I have a question about HA pairs located on 2 different subnets. I have 2 physical locations and I want to put the 2 Netscalers in a HA pair between the 2 sites. The 2 sites have free flowing traffic between an ELAN connection. I can join the Netscalers in an HA pair without issue and settings are replicated to the secondary. I have a XenApp environment in the same physical location as the primary, that is the 192.168.1.x network. The secondary is on the 192.168.2.x network.

    My issue is, when I turn off the primary netscaler the secondary does not respond to requests for my Xenapp vserver. I cannot even ping the IP address. I also cannot ping my load balanced virtual servers. The secondary does have a SNIP on the 192.168.1.x network. Is it possible for HA pairs to work across 2 subnets? I am led to believe that it is because of INC being an option. I opened a ticket with Citrix and they didn’t help me at all.

    Currently I have one network interface and one VLAN configured on both Netscalers.

    Any help is appreciated.

    1. Are you saying your VIP VLAN is stretched so the VIP can move across either appliance? If not then they need to be independent appliances and use GSLB instead.

      1. Thank you for the quick response. Unfortunately I am not licensed for GSLB, I have a standard license. I am not familiar with the term stretched VLAN. Is that a Netscaler term or general networking?

        Sorry I forgot to add the point of all this is for disaster recovery purposes.

        1. Stretched VLAN is a networking term.

          INC means each node has different management network. However, the VIPs need to be on the same L2 network. That’s because each failover means the new node does a Gratuitous ARP.

          If your VIPs on different VLANs then you might have to use DNS failover instead. Since you don’t have GSLB, you’ll have to manually change DNS records to point to the IPs.

          HA pair is designed for a single datacenter. It is not intended for DR.

    1. I’m starting to deploy 11.0 build 65. But others are staying with Safe Harbor (10.5 build 61).

    2. Thanks I appreciate the recommended build. Another question: am having the dns servers snowing as effective state down. Any pointers? I tried adding a route as mentioned in ctx127622

      1. NetScaler uses SNIP to ping the DNS server. You can do a nstcpdump.sh host and see what’s not working.

      2. Thanks Carl, all good with the DNS after correcting the route netmask. Only thing is mysteriously the added routes keep getting deleted and/or changed at times. Is there a way to find out a history of machines connected to the NetScaler via nsroot, etc. or overall recommendation. It seems someone is changing the config at different times.

        1. Look in /var/log/ns.log. Or configure a Syslog server and check there.

          SNMP Traps are also sent when the config changes.

  8. Hi Carl,
    on step 35 you are missing a CLI command. You don’t create the group before binding it:
    add system group “NetScaler Admins” -timeout 900
    bind system group “NetScaler Admins” -policyName superuser 100
    Keep on the great work!

  9. hi Carl i have a big issue with my netscaler, whenever i import my purchased licenses vpx 200 standard the gateway access platform and the concurrent universal licenses and i delte the platinum trial license everything on the gateway part of the netscaler is gone , virtual gateway server no more , no more policies , i tried licensing the gateway platform and universal licenses both by hostname and by host id(by mac), but when imported got the same result after reboot gateway configuration part is gone:((((

    1. In the top left corner, does it say (1)? If so then the license isn’t allocated correctly. The Std license should be allocated to the MAC address.

      1. nope it says vpx 200, is strange , i think i will try to import the licenses manually , also i could not update the firmware from the interface i could only do it manually with winscp and shell commands , do you use in the tutorial a functionality which is only available on the platinum edition and when i do the import of the vpx 200 standard and delete trial license somehow my configuration get broken because of that setting? also i saw that i could actually edit the ns.conf and copy the previous settings before the import of the licenses because i cant find any explanation

        1. If you reboot while unlicensed you will lose certificates. If you then save the config, they’ll be permanently gone. Simply restoring an older ns.conf should fix it.

          Firmware updates have been troublesome. I almost always do them from the CLI.

  10. Absolutely excellent documentation, Carl! So very helpful with a new deployment. Just a heads up, in step 22 of the “Multiple Interfaces – VLANs” section, based on the screenshot, I believe you may have intended the command to be “add route 0.0.0.0 0.0.0.0 172.16.1.1” instead of “add route 0.0.0.0 0.0.0.0 192.168.123.1”. Keep up the great work!

  11. Hi Carl

    Greate Job! It would be perfect if you could define what is the difference between modes and features of Netscaler!

    1. My goal with these pages is to provide common production-quality build procedures and I call out modes and features when needed. Anything beyond that can be learned by reading http://docs.citrix.com, training classes, or working with a Citrix Partner. NetScaler is capable of much more than what I have documented here.

Leave a Reply

Your email address will not be published. Required fields are marked *